
I ran into a problem while integrating WSO2 Identity Server with the ESB.

After following the guide "Fine-grained Authorization with XACML on the WSO2 Product Platform", I found that the ESB had received the message from the client, but I could not see the ESB sending any message to the Identity Server.

I tried wso2esb-4.7.0 with wso2is-4.1.0.

Here are the steps I took:

  1. Configure WSO2 Identity Server as the XACML engine and start the Identity Server;

  2. Configure the Entitlement mediator in WSO2 ESB and start the ESB;

  3. Run the client code in the IDE.

Neither the ESB nor the IS printed any messages.

In the client IDE, the following messages appear in the console:

......

13/08/05 15:24:15 INFO deployment.ModuleDeployer: Deploying module: rahas - file:/D:/project/wso2/test/wso2esb-4.7.0/repository/components/plugins/rampart-trust_1.6.1.wso2v8.jar
13/08/05 15:24:15 ERROR sandesha2.SandeshaModule: Could not load module policies. Using default values.
13/08/05 15:24:15 INFO tcp.TCPTransportSender: TCP Sender started
13/08/05 15:24:17 ERROR engine.AxisEngine: Missing wsse:Security header in request
org.apache.axis2.AxisFault: Missing wsse:Security header in request
    at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:180)
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:99)
    at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
    at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:356)
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:413)
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:224)
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
    at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:554)
    at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:530)
    at org.wso2.entitlement.sample.WSEntitlementTestClient.main(WSEntitlementTestClient.java:59)
Caused by: org.apache.rampart.RampartException: Missing wsse:Security header in request
    at org.apache.rampart.RampartEngine.process(RampartEngine.java:141)
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
    ... 11 more
Exception in thread "main" org.apache.axis2.AxisFault: Missing wsse:Security header in request
    at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:180)
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:99)
    at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
    at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:356)
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:413)
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:224)
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
    at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:554)
    at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:530)
    at org.wso2.entitlement.sample.WSEntitlementTestClient.main(WSEntitlementTestClient.java:59)
Caused by: org.apache.rampart.RampartException: Missing wsse:Security header in request
    at org.apache.rampart.RampartEngine.process(RampartEngine.java:141)
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
    ... 11 more

Here is the client source code:

package org.wso2.entitlement.sample;

import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMFactory;
import org.apache.axiom.om.OMNamespace;
import org.apache.axiom.om.impl.builder.StAXOMBuilder;
import org.apache.axis2.Constants;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.neethi.Policy;
import org.apache.neethi.PolicyEngine;
import org.apache.rampart.RampartMessageData;

public class WSEntitlementTestClient {

 final static String ADDR_URL = "http://localhost:8280/services/echo"; //"http://localhost:8280/services/MarketDataService";
 final static String TRANS_URL =  "https://localhost:8243/services/EntitlementService"; // "https://localhost:8243/services/EntitlementProxy";

 public static void main(String[] args) throws Exception {
  ServiceClient client = null;
  Options options = null;
  OMElement response = null;
  ConfigurationContext context = null;
  String trustStore = null;

  // You need to import the ESBs public certificate to this key store.
  trustStore = "wso2carbon.jks";
  // We are accessing ESB over HTTPS - so need to set trustStore parameters.
  System.setProperty("javax.net.ssl.trustStore", trustStore);
  // Password of the wso2carbon.jks trust store set above
  System.setProperty("javax.net.ssl.trustStorePassword", "wso2carbon");

  // Create configuration context - you will have Rampart module engaged in the client.axis2.xml
  context = ConfigurationContextFactory.createConfigurationContextFromFileSystem("repo","repo/conf/axis2_client.xml");

  // This is the security policy of the proxy service applied UT.
  StAXOMBuilder builder = new StAXOMBuilder("policy.xml");
  Policy policy = PolicyEngine.getPolicy(builder.getDocumentElement());

//    context = ConfigurationContextFactory.createConfigurationContextFromFileSystem("repo","repo/conf/client.axis2.xml");
  client = new ServiceClient(context, null);
  options = new Options();
  options.setAction("urn:echoString");
  // This is the addressing URL pointing to the echo service deployed in ESB
  options.setTo(new EndpointReference(ADDR_URL));
  // To the ESB, the proxy service
  options.setUserName("admin");
  options.setPassword("admin");
  // TRANS_URL points to proxy service
  options.setProperty(Constants.Configuration.TRANSPORT_URL, TRANS_URL);
  options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy);
  client.setOptions(options);
  client.engageModule("addressing");
  client.engageModule("rampart");
  response = client.sendReceive(getPayload("Hello world"));
  System.out.println(response);
 }

 private static OMElement getPayload(String value) {
  OMFactory factory = null;
  OMNamespace ns = null;
  OMElement elem = null;
  OMElement childElem = null;

  factory = OMAbstractFactory.getOMFactory();
  ns = factory.createOMNamespace("http://echo.services.core.carbon.wso2.org", "ns1");
  elem = factory.createOMElement("echoString", ns);
  childElem = factory.createOMElement("in", null);
  childElem.setText(value);
  elem.addChild(childElem);
  return elem;
 }
}

Here is the authorization policy in the Identity Server:

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="Note" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
<Description>Note description    </Description>
<Target>
  <AnyOf>
     <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo</AttributeValue>
           <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </Match>
     </AllOf>
  </AnyOf>
</Target>
<Rule Effect="Permit" RuleId="primary-group-rule">
  <Target>
     <AnyOf>
        <AllOf>
           <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
              <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
           </Match>
        </AllOf>
     </AnyOf>
  </Target>
  <Condition>
     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
           <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
     </Apply>
  </Condition>
</Rule>
<Rule Effect="Deny" RuleId="deny-rule"/>
</Policy>

Here is the EntitlementService proxy source in the ESB:

<?xml version="1.0" encoding="UTF-8"?>
<proxy xmlns="http://ws.apache.org/ns/synapse"
   name="EntitlementService"
   transports="https"
   statistics="disable"
   trace="disable"
   startOnLoad="true">
<target>
  <inSequence>
     <entitlementService remoteServiceUrl="https://localhost:9445/services/"
                         remoteServiceUserName="admin"
                         remoteServicePassword="enc:kuv2MubUUveMyv6GeHrXr9il59ajJIqUI4eoYHcgGKf/BBFOWn96NTjJQI+wYbWjKW6r79S7L7ZzgYeWx7DlGbff5X3pBN2Gh9yV0BHP1E93QtFqR7uTWi141Tr7V7ZwScwNqJbiNoV+vyLbsqKJE7T3nP8Ih9Y6omygbcLcHzg=">
        <onReject/>
        <onAccept/>
        <obligations/>
        <advice/>
     </entitlementService>
     <header name="wsse:Security" scope="transport" action="remove"/>
     <send/>
     <drop/>
  </inSequence>
  <outSequence>
     <send/>
     <drop/>
  </outSequence>
</target>
<enableSec/>
<policy key="conf:/repository/axis2/service-groups/EntitlementService/services/EntitlementService/policies/UTOverTransport"/>
<description/>
</proxy>

In the ESB SOAP Message Tracer I can see the following request message:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
     <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
        <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1">
           <wsu:Created>2013-08-05T06:10:20.503Z</wsu:Created>
           <wsu:Expires>2013-08-05T06:15:20.503Z</wsu:Expires>
        </wsu:Timestamp>
        <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-2">
           <wsse:Username>aaa</wsse:Username>
           <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">admin</wsse:Password>
        </wsse:UsernameToken>
     </wsse:Security>
     <wsa:To>http://localhost:8280/services/echo</wsa:To>
     <wsa:MessageID>urn:uuid:269da889-ce33-4138-b050-3f4913dbbc17</wsa:MessageID>
     <wsa:Action>urn:echoString</wsa:Action>
  </soapenv:Header>
  <soapenv:Body>
     <ns1:echoString xmlns:ns1="http://echo.services.core.carbon.wso2.org">
        <in>Hello world</in>
     </ns1:echoString>
  </soapenv:Body>
</soapenv:Envelope>

along with the following response:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <wsa:Action>urn:echoStringResponse</wsa:Action>
  <wsa:RelatesTo>urn:uuid:269da889-ce33-4138-b050-3f4913dbbc17</wsa:RelatesTo>
</soapenv:Header>
<soapenv:Body>
  <ns:echoStringResponse xmlns:ns="http://echo.services.core.carbon.wso2.org">
     <return>Hello world</return>
  </ns:echoStringResponse>
</soapenv:Body>
</soapenv:Envelope>

But in the Identity Server SOAP Message Tracer, both the request and the response messages are empty. It seems that the ESB is not sending any message to the Identity Server.

Does anyone know what is going wrong?
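An added example (not code from the post, and not WSO2's own): a small Python script that parses the two envelopes captured in the ESB tracer above, reports whether each carries a wsse:Security header and a Timestamp that is still within its validity window, and then evaluates the posted XACML policy (hand-translated into Python rather than parsed from the XML) against the captured request. It assumes that the entitlement mediator maps the UsernameToken username to subject-id, the wsa:To address to resource-id and the literal "read" to action-id, which is what the attribute designators in the posted policy imply; all function and variable names are the example's own. Two things the captured data already show are worth checking this way: the stack trace raises the fault in OutInAxisOperationClient.handleResponse, so it is the client's Rampart handler rejecting the response, and the traced response carries no wsse:Security header at all; and the traced request was sent as user aaa, which the policy denies even when the mediator does reach the Identity Server.

```python
"""Inspect the captured SOAP envelopes and evaluate the posted XACML policy.
Added example, not part of the original post."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wsa": "http://www.w3.org/2005/08/addressing",
}

# Request and response as shown in the ESB SOAP Message Tracer in the post.
REQUEST_XML = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1">
<wsu:Created>2013-08-05T06:10:20.503Z</wsu:Created><wsu:Expires>2013-08-05T06:15:20.503Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-2">
<wsse:Username>aaa</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">admin</wsse:Password>
</wsse:UsernameToken></wsse:Security>
<wsa:To>http://localhost:8280/services/echo</wsa:To>
<wsa:MessageID>urn:uuid:269da889-ce33-4138-b050-3f4913dbbc17</wsa:MessageID>
<wsa:Action>urn:echoString</wsa:Action>
</soapenv:Header>
<soapenv:Body><ns1:echoString xmlns:ns1="http://echo.services.core.carbon.wso2.org"><in>Hello world</in></ns1:echoString></soapenv:Body>
</soapenv:Envelope>"""

RESPONSE_XML = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Action>urn:echoStringResponse</wsa:Action>
<wsa:RelatesTo>urn:uuid:269da889-ce33-4138-b050-3f4913dbbc17</wsa:RelatesTo>
</soapenv:Header>
<soapenv:Body><ns:echoStringResponse xmlns:ns="http://echo.services.core.carbon.wso2.org"><return>Hello world</return></ns:echoStringResponse></soapenv:Body>
</soapenv:Envelope>"""


def inspect_envelope(xml_text):
    """Summarise the WS-Addressing and WS-Security headers of one envelope."""
    root = ET.fromstring(xml_text)
    info = {"has_security": False, "username": None, "password_type": None,
            "created": None, "expires": None, "to": None, "action": None}
    header = root.find("soapenv:Header", NS)
    if header is None:
        return info
    info["to"] = header.findtext("wsa:To", None, NS)
    info["action"] = header.findtext("wsa:Action", None, NS)
    sec = header.find("wsse:Security", NS)
    if sec is None:            # the condition Rampart reports as
        return info            # "Missing wsse:Security header"
    info["has_security"] = True
    ut = sec.find("wsse:UsernameToken", NS)
    if ut is not None:
        info["username"] = ut.findtext("wsse:Username", None, NS)
        pw = ut.find("wsse:Password", NS)
        info["password_type"] = pw.get("Type") if pw is not None else None
    ts = sec.find("wsu:Timestamp", NS)
    if ts is not None:
        info["created"] = ts.findtext("wsu:Created", None, NS)
        info["expires"] = ts.findtext("wsu:Expires", None, NS)
    return info


def timestamp_valid(info, now_iso):
    """True when now_iso (same "%Y-%m-%dT%H:%M:%S.%fZ" form) lies in Created..Expires."""
    if not (info["created"] and info["expires"]):
        return False
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ"
    created, expires, now = (datetime.strptime(s, fmt)
                             for s in (info["created"], info["expires"], now_iso))
    return created <= now <= expires


# Hand-translation of the posted policy: policy target = string-regexp-match on
# resource-id; primary-group-rule (Permit) needs action-id == "read" and
# subject-id == "admin"; deny-rule has no target; combined first-applicable.
RESOURCE_PATTERN = "http://localhost:8280/services/echo"


def evaluate_policy(subject_id, action_id, resource_id):
    """Return the XACML decision the posted policy yields for one request."""
    # Unanchored search, as string-regexp-match is usually implemented; for
    # this literal URL pattern it is equivalent to an exact comparison.
    if not re.search(RESOURCE_PATTERN, resource_id):
        return "NotApplicable"
    if action_id == "read" and subject_id == "admin":
        return "Permit"            # primary-group-rule applies
    return "Deny"                  # deny-rule catches everything else


def decision_for_request(xml_text, action_id="read"):
    """Map the captured request onto subject/action/resource (assumed mediator
    mapping, see lead-in) and evaluate the policy."""
    info = inspect_envelope(xml_text)
    if not info["has_security"] or info["username"] is None:
        return "Indeterminate"     # MustBePresent="true" attribute is missing
    return evaluate_policy(info["username"], action_id, info["to"])


if __name__ == "__main__":
    for name, xml in (("request", REQUEST_XML), ("response", RESPONSE_XML)):
        print(name, inspect_envelope(xml))
    print("decision for captured request:", decision_for_request(REQUEST_XML))
```

Running it prints a summary of each envelope (the response has no security header and no timestamp) and the decision "Deny" for the captured request, because its username aaa does not satisfy the Condition on primary-group-rule; a request from admin for action read on the echo resource evaluates to "Permit", and any other resource falls outside the policy Target and is "NotApplicable".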


1 Answer


First of all, WSO2 ESB 4.7.0 and WSO2 IS 4.1.0 are not compatible versions. You can use ESB 4.6.0 with IS 4.1.0, or WSO2 IS 4.5.0 (to be released soon) with the current ESB.

The error you are facing, "Missing wsse:Security header in request", may be due to the BasicAuth scheme, which first sends the request without username and password and lets the server issue a challenge. Only after receiving the challenge does the client send the basicAuth parameters.

Cheers,

Pushpalanka

answered 2013-08-06T13:22:34.257